Cyber Resilience

CVE-2026-23530

High · Public PoC · Updated

Published: 19 January 2026

Modified: 30 June 2026
KEV Added: not listed
Patch: available (FreeRDP 3.21.0)
CVSS Score (v4): 7.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0060 (44.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23530 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in FreeRDP (vendor Freerdp, product Freerdp). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 44.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23530 is a heap buffer overflow vulnerability in FreeRDP, a free implementation of the Remote Desktop Protocol, affecting versions prior to 3.21.0. The flaw occurs in the `freerdp_bitmap_decompress_planar` function, which does not validate the `nSrcWidth` and `nSrcHeight` parameters against `planar->maxWidth` and `maxHeight` before performing RLE decompression. Classified as CWE-122, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A remote attacker controlling a malicious RDP server can exploit this issue against a connecting FreeRDP client by sending crafted bitmap data. No user privileges or interaction are required, enabling low-complexity network-based attacks that trigger a client-side heap buffer overflow. This results in application crashes for denial of service, with potential heap corruption that could lead to code execution depending on the memory allocator and surrounding heap layout.

FreeRDP version 3.21.0 includes a patch resolving the vulnerability. Mitigation involves updating to this version or later, as detailed in the project's release notes and security advisory (GHSA-r4hv-852m-fq7p). Code changes addressing the validation are visible in the affected planar.c source files.


Vulnerability details

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client-side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code-execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
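As an added illustration of the missing check described in the analysis and vulnerability details above (a constructed example, not FreeRDP's own code), the following C sketch validates server-supplied dimensions against the context's limits before any plane data is written. The `planar_ctx_t` type, its single `plane` buffer and the raw-plane copy are simplifying assumptions standing in for the real RLE decoder; only `maxWidth`, `maxHeight`, `nSrcWidth` and `nSrcHeight` are names taken from the advisory text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the planar codec context: only the
 * maxWidth/maxHeight limits come from the advisory; the single plane buffer
 * of maxWidth * maxHeight bytes is an assumption. */
typedef struct {
    uint32_t maxWidth;
    uint32_t maxHeight;
    uint8_t *plane;
} planar_ctx_t;

static planar_ctx_t *planar_ctx_new(uint32_t maxWidth, uint32_t maxHeight)
{
    planar_ctx_t *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->maxWidth = maxWidth;
    p->maxHeight = maxHeight;
    /* calloc(n, m) rejects an overflowing n * m itself */
    p->plane = calloc((size_t)maxWidth, (size_t)maxHeight);
    if (!p->plane) { free(p); return NULL; }
    return p;
}

/* The check the vulnerable code lacked: server-supplied dimensions must fit
 * the buffers the context was allocated for; zero-sized planes are rejected. */
static bool planar_dimensions_ok(const planar_ctx_t *planar,
                                 uint32_t nSrcWidth, uint32_t nSrcHeight)
{
    if (!planar || nSrcWidth == 0 || nSrcHeight == 0) return false;
    return nSrcWidth <= planar->maxWidth && nSrcHeight <= planar->maxHeight;
}

/* Guarded copy of one raw plane, standing in for the RLE decode path.
 * Returns bytes written, or -1 when the input is rejected. */
static long planar_decode_raw_plane(planar_ctx_t *planar, uint32_t nSrcWidth,
                                    uint32_t nSrcHeight, const uint8_t *src,
                                    size_t srcLen)
{
    if (!planar_dimensions_ok(planar, nSrcWidth, nSrcHeight)) return -1;
    /* cannot overflow: both factors are bounded by a successful allocation */
    size_t need = (size_t)nSrcWidth * nSrcHeight;
    if (!src || srcLen < need) return -1;   /* truncated input would over-read */
    memcpy(planar->plane, src, need);
    return (long)need;
}
```

The same shape of check, placed before the decoder touches any destination buffer, is what turns an attacker-chosen width/height into a rejected frame rather than an out-of-bounds write.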

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow in FreeRDP client exploitable by malicious RDP server via crafted bitmap data enables remote code execution through client application vulnerability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23532 (same product: Freerdp Freerdp)
CVE-2026-23531 (same product: Freerdp Freerdp)
CVE-2026-44421 (same product: Freerdp Freerdp)
CVE-2026-23533 (same product: Freerdp Freerdp)
CVE-2026-22854 (same product: Freerdp Freerdp)
CVE-2026-31806 (same product: Freerdp Freerdp)
CVE-2026-40033 (same product: Freerdp Freerdp)
CVE-2026-23534 (same product: Freerdp Freerdp)
CVE-2026-31883 (same product: Freerdp Freerdp)
CVE-2026-33986 (same product: Freerdp Freerdp)

Affected Assets

Vendor: freerdp
Product: freerdp
Versions: ≤ 3.21.0

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 (Flaw Remediation) · prevent: Directly mandates identification, reporting, and timely patching of flaws like the heap buffer overflow in FreeRDP's freerdp_bitmap_decompress_planar, as fixed in version 3.21.0.

SI-10 (Information Input Validation) · prevent: Requires validation of information inputs such as nSrcWidth and nSrcHeight against maxWidth and maxHeight prior to RLE decompression to prevent the buffer overflow.

Memory protection · prevent: Implements memory safeguards like non-executable heap regions and randomization to mitigate code execution risks from heap corruption caused by the unvalidated bitmap decompression.
